Penetration Testing Services
What is Penetration Testing?
Penetration testing, often referred to as ethical hacking or pen testing, is a cybersecurity practice that involves simulating a cyberattack on a computer system, network, or application to identify vulnerabilities and weaknesses. The goal of pen testing is to assess the security of the target system by attempting to exploit potential vulnerabilities in a controlled and ethical manner.
Which facility types would benefit from Penetration Testing?
All facility types that have any form of Internet connectivity or offer any form of Internet service would benefit from conducting regular pen testing including:
- VFX
- Animation
- Live Action
- Post Production
- Subtitle and Dubbing
- Replication and Distribution
- Broadcasters
- Cinemas
- TV Stations
- Radio Stations
- Video Streaming Services
- Music Streaming Services
- Digital Asset Management Platforms
- Cloud Render Platforms
- Gaming Platforms
- Digital Publishing Platforms
Why does my facility need to conduct Penetration Testing?
Pen testing is a crucial component of a comprehensive cybersecurity strategy. It helps your business stay ahead of potential threats, comply with guidelines and regulations, and maintain a robust security posture in an ever-evolving threat landscape. If you are considering completing a TPN Blue or Gold Shield Assessment or are about to be assessed directly by an MPA, CDSA, or ACE member studio content owner such as Disney or Netflix, then you must provide evidence that you have conducted a penetration test in the preceding 12 months. Pen testing should be conducted independently by a third-party organisation unrelated to your business.
Vulnerability Scanning vs Penetration Testing?
So what are the differences between vulnerability scanning and pen testing? In a nutshell, vulnerability scanning is generally automated and focuses on identifying potential system weaknesses, while penetration testing involves active attempts to exploit vulnerabilities and provides a deeper understanding of a system's security posture. Vulnerability scanning and pen testing are both important cybersecurity practices, but they serve different purposes and involve distinct methodologies:
Vulnerability Scanning
- Objective: The primary goal of vulnerability scanning is to identify and locate potential security vulnerabilities in a system or network.
- Methodology: Automated tools are used to scan a network, system, or application for known vulnerabilities. These tools compare the system's configuration and software versions against a database of known vulnerabilities to identify potential weaknesses.
- Depth: Vulnerability scanning is usually automated and provides a broad overview of potential vulnerabilities. It may not provide in-depth information on the exploitation of vulnerabilities or the impact of potential attacks.
- Frequency: Vulnerability scanning can be performed regularly as part of a proactive security strategy.
Penetration Testing
- Objective: Penetration testing involves simulating real-world cyberattacks to actively assess the security of a system or network.
- Methodology: Skilled cybersecurity professionals use a variety of tools and techniques to exploit vulnerabilities identified in a system. The goal is to understand the extent to which unauthorised access or data breaches can occur and to provide recommendations for improving security.
- Depth: Penetration testing goes beyond vulnerability scanning by actively attempting to exploit identified vulnerabilities. This includes assessing the impact of potential security breaches and evaluating the effectiveness of existing security controls.
- Frequency: Penetration testing is typically conducted periodically, often after major system changes or as part of a comprehensive security assessment.
MPA Content Security Best Practices control requirements
Groundwire's pen testing services are designed to meet the following control requirements of the MPA Content Security Best Practices v5.2, provided the controls are applicable and in scope:
- PS-4.2 [Physical Security / Monitoring / Data Centres, Co-locations & Cloud Providers]: Penetration testing to include all and any relevant networks and systems located in data centres, co-locations, and with cloud service providers
- TS-2.9 [Technical Security / Network Security / Remote Access]: Penetration testing to include all and any Work From Home / Remote Working environments from where remote access to systems and networks is initiated
- TS-4.0 [Technical Security / Vulnerability Management / Vulnerability Management]: Regular vulnerability scanning of internal and external networks, production networks, non-production networks, virtual machines, containers and APIs or after any major infrastructure or application change
- TS-4.1 [Technical Security / Vulnerability Management / Penetration Testing]: Annual penetration testing to cover all external IP ranges, hosts, web applications, and APIs incorporating unauthenticated and authenticated scanning across multiple network segments and locations or after any major infrastructure or application change.
Penetration Testing Service Pricing
Groundwire's pen testing service package pricing is summarised below. Prices are in Australian Dollars (AUD) and exclusive of GST. The actual penetration testing is conducted by Radiant Security utilising Certified Ethical Hackers domiciled in Australia.
Pen Test Package
- Description: For facilities with a handful of public IPs, no DMZ, no VPN remote access, and no Internet-facing services.
- Total IPs/Hosts: 1-5
- Delivery Timeframe: 3 Business Days
- Applicable Controls: TS-4.0, TS-4.1
- Price Estimate (AUD): $2,200-$4,000

Pen Test Package
- Description: For facilities with a small number of public IPs, optional DMZ and Internet-facing services, optional remote access (e.g. VPN, PCoIP).
- Total IPs/Hosts: 6-30
- Delivery Timeframe: 5-10 Business Days
- Applicable Controls: TS-2.9, TS-4.0, TS-4.1
- Price Estimate (AUD): $4,000-$7,500

Pen Test Package
- Description: For facilities with a larger number of public IPs spread across multiple on-premises facilities, data centres, co-location centres, and cloud infrastructures.
- Total IPs/Hosts: 31-100
- Delivery Timeframe: 10+ Business Days
- Applicable Controls: PS-4.2, TS-2.9, TS-4.0, TS-4.1
- Price Estimate (AUD): $7,500-$10,000

Pen Test Package
- Description: For facilities with a complex Internet-facing presence offering distributed remote access, and multiple Internet-facing services, on-premises facilities, data centres, co-locations, and cloud infrastructures.
- Total IPs/Hosts: 100+
- Delivery Timeframe: 10+ Business Days
- Applicable Controls: PS-4.2, TS-2.9, TS-4.0, TS-4.1
- Price Estimate (AUD): $10,000+
Penetration Test Procedure
To complete a successful pen test, the following action items will need to occur:
- Review and sign a mutual bi-directional NDA between your business and Groundwire
- Conduct a 30-minute discovery meeting with your business's stakeholders to confirm the scope and timeframe of the pen test
- Review and sign a master service delivery agreement between your business and Groundwire
- Groundwire will submit an invoice for payment of the services. Payment and payment milestones are subject to the scope of work and delivery timeframe
- Schedule when the penetration testing will occur
- Conduct the pen testing. This typically involves a series of steps including planning, reconnaissance, scanning, enumeration, vulnerability analysis, exploitation, and post-exploitation assessment. Temporary configuration changes may need to be made to your infrastructure and systems to allow the testing to be conducted successfully. These changes will need to be rolled back once testing has concluded
- Document findings and prepare recommendations in a report
- Submission of the report to stakeholders for mutual review
- Cleanup and remediation meeting.
Penetration Testing Deliverables
Groundwire will deliver a comprehensive pen test report containing the following items at a minimum:
- Scope and definitions
- Testing methodology
- Penetration testing results
- Vulnerability testing results
  - A list of encountered vulnerabilities
  - Risk rating of each encountered vulnerability (CVE/CVSS)
  - Vulnerability exploitability
  - Remediation steps and recommendations.
Request a Quote
Get a quote today! Please contact us and we will get back to you ASAP.